From owner-freebsd-questions@freebsd.org Tue Dec 20 16:16:40 2016
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1263FC89274 for ; Tue, 20 Dec 2016 16:16:40 +0000 (UTC) (envelope-from citrin+bsd@citrin.ru)
Received: from hz.citrin.ru (hz.citrin.ru [88.198.212.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C02D1187B for ; Tue, 20 Dec 2016 16:16:39 +0000 (UTC) (envelope-from citrin+bsd@citrin.ru)
Received: from x220.lan (c-24-60-168-172.hsd1.ct.comcast.net [24.60.168.172]) by hz.citrin.ru (Postfix) with ESMTPSA id 7FC70286AB2 for ; Tue, 20 Dec 2016 16:16:30 +0000 (UTC)
Subject: Re: blacklistd(8) - entries don't removed
To: freebsd-questions@freebsd.org
References: <5ee1dcc7-643b-a7b1-7d1c-1017599bdfe5@citrin.ru> <5844BA83.8030601@gmail.com>
From: Anton Yuzhaninov
Date: Tue, 20 Dec 2016 11:16:29 -0500
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <5844BA83.8030601@gmail.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=citrin.ru; s=s0; t=1482250590; bh=tApbf/n3b7Vcy8GTdj2JlpUaAFnajquC1BgbI1zo5yA=; h=Subject:To:References:From:Message-ID:Date:MIME-Version:In-Reply-To:Content-Type:Content-Transfer-Encoding; b=4EezOBzgyRR3QlRyjpHJYpl1gj+2+PBok9TYvIDbGiz2AfeklExserqO7C/okd5pGLkKmY+IKD3eDmdx+GOZSurMYgHZIZt6l0GykhBlbDv1MOoROcm1yqOQeE31dQxoCLOoMplj/OmdLOcZRLbYKHe8pKLJNm1VkMb7X1Sdi/4=
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 20 Dec 2016 16:16:40 -0000

On 12/04/16 19:53, Ernie Luzar wrote:
> Anton Yuzhaninov wrote:
>> I started to use blacklistd(8) to protect sshd from bruteforce.
>>
>> Entries are added to ipfw table via controlprog but never removed.
>>
>> Blocked hosts after some time are removed from state database but even in
>> blacklistd -C /usr/local/libexec/blacklistd-helper -r -d -v
>> I see no attempts to run blacklistd-helper rem

It turned out that blacklistd expects the string OK from the blacklistd-helper script. echo 'OK' in the script is a workaround that works for me.

Some time ago this was committed to head:
https://svnweb.freebsd.org/changeset/base/306695

This behavior of blacklistd is unexpected and undocumented in the man page though.

> Seems you're the first person to use this new function in 11.0. Read its
> man page for the email of the person who ported this from openbsd and contact
> him directly.

It was ported from NetBSD, and in NetBSD 7.0.2 blacklistd has the same problem: the script should print the 'OK' string. I don't like this, but it seems to be not a bug but a badly designed feature.
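The contract the thread describes is that blacklistd treats a helper invocation as done only when the helper prints `OK` on stdout; an unconditional `echo OK` makes it believe an `add` or `rem` succeeded even when the firewall command failed, so a block can stay in the ipfw table after blacklistd has forgotten it. The following wrapper, an added example and not the FreeBSD or NetBSD `blacklistd-helper` script itself, prints `OK` only after the firewall command returned success. The argument order (action, rulename, protocol, address, mask, port, id) and the `FIREWALL_CMD` / `TABLE` variables are assumptions made for the example; `FIREWALL_CMD` defaults to a dry-run echo so the script can be exercised without ipfw present.

```shell
#!/bin/sh
# Added example wrapper in the spirit of blacklistd-helper (not the real helper).
# Assumed argument order: action rulename protocol address mask port id
# FIREWALL_CMD: set to /sbin/ipfw on a real host; the default only echoes
# the command so the example runs offline. TABLE is a constructed table number.
: "${FIREWALL_CMD:=echo DRYRUN ipfw}"
: "${TABLE:=1}"

helper() {
    action=$1; rule=$2; proto=$3; addr=$4; mask=$5; port=$6; id=$7
    case "$action" in
    add)
        $FIREWALL_CMD table "$TABLE" add "$addr/$mask" >/dev/null 2>&1 || return 1
        ;;
    rem)
        $FIREWALL_CMD table "$TABLE" delete "$addr/$mask" >/dev/null 2>&1 || return 1
        ;;
    flush)
        $FIREWALL_CMD table "$TABLE" flush >/dev/null 2>&1 || return 1
        ;;
    *)
        echo "unknown action: $action" >&2
        return 2
        ;;
    esac
    # The acknowledgement blacklistd waits for. It is printed only after the
    # firewall command succeeded, so a failed removal is not reported as done
    # and blacklistd's state database stays consistent with the ipfw table.
    echo OK
}

# Behave like a helper when invoked directly with arguments.
if [ "$#" -gt 0 ]; then
    helper "$@"
fi
```

Logging the firewall command's stderr instead of discarding it (for example to syslog via `logger`) is the natural next step on a production host, since a silent `return 1` is hard to diagnose later.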